How Windows tech support scammers walked right into a trap set by the feds

Sometimes scammers are just as likely to fall for a good con as anyone else.

Three weeks ago, Jack Friedman got a call from a man with an Indian accent claiming to be from the Windows technical team at Microsoft. Friedman, a Florida resident who is my friend Elliot's grandfather, was told by "Nathan James" from Windows that he needed to renew his software protection license to keep his computer running smoothly. "He said I had a problem with my Microsoft system," Friedman told me. "He said they had a deal for $99, they would straighten out my computer and it will be like brand new."

Friedman's three-year-old Windows Vista computer was running a bit slow, as many PCs do. Friedman is often suspicious of unsolicited calls, but after talking with Nathan on the phone and exchanging e-mails, he says, "I figured he was a legitimate guy." Friedman handed over his Capital One credit card number, and the "technician" used remote PC support software to root around his computer for a while, supposedly fixing whatever was wrong with it.

"I could see my arrow going all over the place and clicking different things on my computer," Friedman said. But that $99 Capital One credit card charge turned into a $495 wire transfer. Then Bank of America's fraud department called Friedman, and said, "somebody is trying to get into your account." Whoever it was had entered the wrong password multiple times, and as a precaution Friedman's checking account was shut down.

Capital One restored his lost $495, but the hassles didn't end there. Because of the action Bank of America took, Friedman's checks started bouncing. He's had to change passwords on all his accounts, get new credit cards, and pay a real computer technician $75 to clean out all the junk installed by the scammer.

Friedman is one of thousands of people hoodwinked by this Windows tech support scam, which authorities say has bilked unwitting PC owners out of tens of millions of dollars. Friedman's story shows that the scam is alive and well even though the Federal Trade Commission shut down a bunch of the companies allegedly doing the scamming, as we reported in early October. The FTC filed six lawsuits against more than 30 defendants, a number of whom are in settlement talks with the FTC to end litigation.

Those lawsuits show that the Windows tech support scammers are often just as likely to fall for a good con as anyone else.

To catch a thief: One phone call is all it takes

FTC Chairman Jon Leibowitz at a Washington, DC press conference on the support scams. (Photo: FTC)

The Windows tech support scammers all follow the same general script. There are nuances and differences, but the process of convincing people who answer the phone that their PCs are riddled with viruses never changes too much.

You might think that if you spent your whole day calling people on the phone to scam them, if your paycheck depended upon fooling the gullible, that you'd be pretty good at detecting a scam yourself. But ultimately, the people doing the scamming aren't likely to be the masterminds. They're just the workaday drones doing their employer's bidding—perfect targets for the undercover investigators at the FTC.

When the FTC announced its crackdown on the tech support scammers, the agency played a recorded undercover call but otherwise didn't spend much time talking about how they tracked the defendants down in the first place. Court documents the FTC subsequently sent our way show that it was rather easy. Or, more precisely, once the difficult groundwork of tracking down the scammers had been laid, the scammers walked right into the FTC’s trap, as gullible and helpless as the victims whose bank accounts they raided.

Declarations and transcripts FTC agents filed in US District Court in Southern New York show just how the operations went down. These documents were filed along with the initial complaints, but for whatever reason they did not make it onto the Public Access to Court Electronic Records (PACER) system.

“Did you just call me?”

In a typical Windows tech support scam, the scammer calls up a random person, informing them that their computer has been hijacked by viruses and that the scammer knows this because as a member of the Windows technical support team they can track any computer connected to the Internet. Next, the scammer directs the victim to look at the Windows Event Viewer, a standard part of the Windows operating system that displays mostly harmless error logs. From there, the scammer convinces the victim that these error logs are signs of serious infections and that they need to pay some cash to make the infections go away.
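The Event Viewer step is the technical core of the script, so it helps to see what the caller is actually pointing at. The following PowerShell snippet is an added example, not something from the article or the FTC filings: it summarizes the Critical, Error and Warning entries in the Application and System logs over the last week, which is what a healthy Windows machine routinely accumulates. It assumes Windows PowerShell 5.1 or later on Windows; reading these two logs does not require administrator rights.

```powershell
# Added example (not from the article): summarize the Error/Warning entries a caller
# would present as "infections", to show how routine they are on a healthy PC.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 on Windows.
$since = (Get-Date).AddDays(-7)

# Level 1 = Critical, 2 = Error, 3 = Warning; both logs are queried at once.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

"Critical/Error/Warning entries since $($since.ToShortDateString()): $(@($events).Count)"

# Which components produced them. A handful of chatty sources (update services,
# drivers, scheduled tasks) is typical and says nothing about malware.
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# The most recent few, with the first line of the message the caller would read aloud.
$events | Select-Object -First 5 TimeCreated, LevelDisplayName, ProviderName,
    @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -Wrap
```

Running this on a machine you know to be clean gives you a baseline to show a relative or a helpdesk caller: dozens of entries per week from the same few providers is normal, and nothing in the Event Viewer lets a stranger on the phone know whether a machine is infected.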


We previously regaled you with the tales of angry and creative citizens of the Internet who turned the tables on the scammers by performing elaborate trolls, and also of Ars editor Nate Anderson’s experience playing along with a scam call in order to document what happened.

But that requires waiting for one of the calls to come. What if it doesn’t? The FTC’s strategy of gathering evidence involved having trained agents go undercover as helpless consumers. No surprise there. But instead of waiting for a call, the FTC’s investigators called up the scammers themselves, using undercover identities not associated with the FTC.

"On or about February 14, 2012, when I dialed (888) 408-6651, a representative answered, ‘Thank you for calling tech support. My name is Victor. How may I help you?’ I said that I had received a call, the caller had said something about my computer and Microsoft, and that I wanted to know what this was about."

So begins one of the meaty parts of a declaration by FTC investigator Sheryl Novick, who conducted the stings along with FTC paralegal specialist Jennifer Rodden. Novick hadn't received any call—she just called one of the numbers that appeared in numerous consumer complaints. Novick's statement comes from a case against Zeal IT Solutions, but most of the stings went down the same way. Novick's declaration continues:

Victor said they were a tech support company, providing service mainly to Windows users. He told me the name of the company was "Support One Care" and later said they were located in the Eastern part of India. After taking my information, Victor explained that I got a call because they were doing a check-up call for the computer. He asked if my computer was facing any problems but I told him I wasn't sure. He said he was with the technical department and that he'd have to connect me with the registration department and they would call me back. He said I could view their website at ‘www.supportonecare.com’ to see the details of the services they provide.

We hung up because he said he would call me from his number to show me the computer's infections. But he called me back shortly after to tell me someone else would be calling me soon. I received a call back that same day from someone who identified himself as Robin Wilson from the computer technical department of Support One Care. He said they were calling me "because from the past two months, whenever the Windows user have been going online, at that point of time, some malicious infections are automatically getting downloaded... 90 percent of the Windows user have these malicious infections in their hard drive."

He said they were calling to make me aware of the infections.

And the trap was sprung. Although the scammers typically tried to hide their identities and locations by using voice over Internet protocols, they didn't do much else to protect themselves. Windows tech support cold callers have told some victims they have a massive database notifying them each time a computer connected to the Internet is infected. In reality, they're not so omniscient. They couldn't even verify (or just didn't bother to verify) whether they had previously called the number used by the undercover FTC agent. The scammers took the FTC agent's statements at face value and played along more than enough to get shut down and hauled into court.

116 Reader Comments

Edit: I also wish the Indian government would do something about this filth. It's really hurting their reputation, I know people who simply hang up the second they hear an Indian accent now...

I've operated that way for years. If the number shows as "UNKNOWN" I won't answer it at all. Caused a problem a few times since my wife's doc IS Indian.

A question or two for John Brodkin

1. Is the scamming that's going on illegal in India? It might not be.

2. If the caller ID shows a phone number in the US or the call comes out of a US phone number VOIP service, does that make the call a crime instead of a "bad business practice"? FTC really is only enforcing regulations not criminal laws by offering settlements.

Illegal? Yes, pretty much. I guess our laws are pretty vague when it comes to internet crimes. We end up arresting people for protesting a Mumbai shutdown on Facebook on one hand, and still, things like this fly under the radar. I guess we really need to have stronger law related to Information Technology. This kind of shit makes us look bad.

These buggers are phoning all over the world. My father in law knows enough about computers to play his Facebook games. He got roped in by one of these schmucks.

Luckily he knows his limits and doesn't have a credit card, so when they started getting technical and asking for card details he asked if he could get me to phone them back. That was fun.

Them - Click on the Start button
Me - Ok. Clicked on Start button, now my computer is shutting down, do you want it off for your tests?
Them - No, I said click on Start button, not the power button.
Me - But that's the button I start my computer with.

about 20 min later

Them (rather irate by now) - Ok, what version of Windows are you running.
Me - I think it's Windows Android.
Them - .........click

Let's say they use the exact same MO to scam people, asking for the credit card number, saying they will charge $99 for the service and all. But they do charge "only" $99, nothing more, install a logmein client and do whatever it takes to make the trick, and that's all. This "customer" is registered as a "credible dumb-ass" and you keep his phone number. And then, 6 months later, you call him again, asking $25 for a software update. For this update, you try to be synchronized with the IT news, with a big fat virus on rampage with all the news speaking of it. And then, you can ask for more money, up to twice a year on a regular basis.

I'm sure this will work, if you don't get too greedy. So why do they try to rob people with a $450 charge and eventually get caught?


I really don't get it.

Greed makes people dumb. They want the quick, short-term payoff, rather than the long slow one, because (my guess) they won't be around in a year or two.


The money is icing, the real cake (profit) is in onselling the ID details they got off the poor bastard for Identity Theft.

This wouldn't happen if:
• People weren't so corrupt (not going to change soon),
• People weren't so gullible (not going to change soon),
• US customers didn't get the currency of world trade in their wage packets (probably won't change soon, looking at the poor range of alternatives; but let's be fair and call this an unfair advantage for many US citizens over people in places like India — although this doesn't in any way justify theft or fraud),
• China, India, Russia, Nigeria etc., would start policing crimes of this sort more vigorously (someone at the State Department needs to get onto this and start knocking some heads together).


It's not just the US. I'm Australian, and have received around a dozen calls from "Windows" over the last year. We've tried the "My Mac has Windows?", the "talk softly and carry a loud whistle", the "hold on while I get my wife/husband", and even "Can you tell me your home number and when you'll be at dinner so I can interrupt that?"... strangely, we haven't received a call in the last couple of months.

One thing confuses me about this story. Am I right in thinking that some of these companies, instead of being based in India and pretending to be American, are actually based in the US and pretending to be Indian? That would be hilarious.


The companies are located in India, they are likely using VoIP Services to get numbers located in the US, so they appear to be legit.

I too want to receive a call, I plan on pretending to be Bill Gates running an early build of Windows Blue :-)

Hold them on the phone for a few minutes, get someone the other side of the room to shout "Got them sir! Local search team is on their way there now..."

Then politely inform the guy that their company has been traced and let him know that if he doesn't want to get locked up he should walk away from his desk now and never go back there - tell him to let as many of his co-workers know as possible if he wants to get them out of there in time...

If there was ever a legitimate reason to have a 'shock and awe' campaign this would be it. If scammers like in the said story feared the idea of something being dropped on their building that wipes out half their suburb then it might convince them to enter a legitimate line of business.

One of the worst parts, at least for me, is that this is one thing I do: "Windows support" and system cleanups. I do it privately through my small business regularly. Of course there are differences; I generally work hands-on and have not used the remote support capabilities as of yet, although I am looking at it. I have used remote support, just not in a fully remote auto-charge transaction, unless of course it was close family, friends etc., and generally no charges anyway. This does put a damper on that though, as people will gain a distrust of remote support when in all reality there is no difference, as computers are native network machines by default.

From the conversations I've had with friends who've worked in the BPO industry here in India, it is very easy to get access to thousands of phone numbers by making a copy of the legit telephone databases used for sales/tech support purposes. Once you have access to a bunch of numbers all you need is a screen sharing software and multiple paypal accounts to transfer your victim's credit card funds into.

As a regular ars reader, I feel sad for how this issue is affecting the Indian BPO industry's perception in the US. It is next to impossible to stop this sort of a thing completely. Unless of course the FTC/FBI pull off a wikileaks and instruct the payment intermediaries (like Paypal) to block the user accounts which are involved in such transactions.

allajunaki wrote:

tkioz wrote:

Edit: I also wish the Indian government would do something about this filth. It's really hurting their reputation, I know people who simply hang up the second they hear an Indian accent now...

.....

Illegal? Yes, prettty much. I guess our laws are pretty vague when it comes to internet crimes. We end up arresting people for protesting a mumbai shutdown on facebook on one hand, and still, things like this fly under the radar. I guess we really need to have stronger Law related to Information Technology. This kind of shit makes us look bad.

The Information Technology Act 2008 is pretty clear about the fact that such activity is illegal. (See Section 66C here) It is just a matter of proper implementation of the law. Not to mention the fact that successful prosecution for such a crime will be abysmally slow, even if it's possible, considering how overburdened the judiciary is.



Would be nice, but don't think it will help much. If one operation is shut down, savvy operators will simply set up another one. There are shady operations of this type here in the USA, as well. As long as it doesn't involve major criminality, the risk/reward ratio can be quite compelling to the amorally inclined.

The best defense is for consumers to exercise common sense. Sure, it's much more easily said than done, but it sure beats even the best government efforts. These operators know there is no way authorities can stop them all...

It just floors me that this is a civil case, not a criminal one. Even more so that the FTC is negotiating a financial settlement with these scammers. Where exactly do they think this settlement money will come from? These people make a living off scamming people. They will have to scam yet more people in order to settle this civil suit. This is utterly insane. I'm all for seeking financial restitution for the people who have been scammed, but these scumbags need to do hard time in prison. Right now, the FTC's actions are little more than an inconvenience. Any reason why the FTC didn't work with the FBI on this to make a criminal case of it? Or is that coming?

I'd love to see it become a criminal trial, but there's one key problem:

The US doesn't have jurisdiction in India.

Since the companies and persons are in India, we're SOL. We're dependent upon the local authorities in India and most of them are horribly corrupt and crooked.

This is one of those times where a trade embargo or whatnot would actually help to get the government more amicable to working along, and let them take stock with what's wrong within their own country first, IMO.

I actually had a user here at work come to me last week who had one of these calls, they actually asked if he had a Mac or PC. I believe they told him they were from Norton Antivirus or something. When he stated he had a Mac, they told him something about it being infected with a new Mac virus that will steal his identity and that they could fix it while on the phone. I have had a bunch of the calls from "Windows Support", and they are fun to mess with but I haven't had a Mac call yet.

"Well, Bob, my name is detective Lestrade of Clark County homicide. I need to ask you stay on the this phone line as you have called the home of a victim of a murder. How long have you known the victim? How did you get this number then? Random? I find that unlikely as the victim died less than an hour ago and you just happened to call. You are in very serious trouble. Now is Bob your real name? Do you understand you could face the death sentence as an accessory to murder. Ok, where are you? Alright, I need you to stay on this line while we notify Interpol to have your local police bring you in for interrogation. Thank you for your cooperation in this investigation."

In most jurisdictions, claiming to be a detective would count as "impersonating a law enforcement officer", which is a crime in most jurisdictions. If someone knows what they're doing, and feels like taking the time, this could give them the leverage to turn the tables. I suspect that in these circumstances the odds of being actually charged, much less convicted, are essentially nil, but do take it into consideration before deciding to try this. I love your idea, just not sure I'd recommend it.

I think the real question is: are REALLY some Americans so naive to give out their credit card number to the first monkey that calls on the phone and pay for a service they didn't need?

I think the most obvious answer would be: thanks for informing me, I'll call my trusted IT technician/relative/friend/neighbor and have him/her look into my PC for a couple of beers. Now go and kill yourself (this is in case you want to make them aware that you know it is a scam).

"I just know I turn on the computer, I do what I have to do and I don't go further than that," he said.

And that comment by the victim in this story is in a nut shell what's wrong with the world today.

This story isn't just about crimes and victim. It's also about the general ignorance and willingness to be ignorant about anything beyond what interests a person that causes so much trouble in the world today.

What's always made me curious is where they get random numbers like that from. Does their script have a random number generator, are they just randomly tapping on the numberpad, or is there some deep, deep meaning to this particular amount?

I was at my cousin's when one of them phoned for him; he motioned me to come over so I could listen in. I let him know that I wanted to take the call, he said "hang on, let me get the owner," and I took over the call. For about 20 minutes I was acting like I was trying to follow the guy's requests and freaking out that something was obviously wrong, since what he told me to look for was not there, and in a panicked voice I said I was so grateful they called. Once I became bored of stringing him along I said "damn, I am on a Mac." He must have thought I was a real idiot, and they never phoned my cousin's house again. This was about 4 months ago.

Or maybe it just seems quick to me, I hadn't encountered too many of these scam calls til the past 6 months or so, when it seems to have skyrocketed...

You actually answer calls from numbers you don't know?

So wise! I mean, there is not one possible reason that exists for someone to answer unknown or blocked calls. Literally no reason whatsoever for anyone on the planet with access to a phone to do such a thing. Ever.

All calls to my number that I don't have a google contact for are routed to a custom voicemail instructing them to leave a message, including the full name and return call number. Within a minute or two, I get the text feed from the voicemail, and if it's a legitimate company or caller I add their contact number to the appropriate group in GV (I have several, with unique voicemail greetings, what numbers each one rings, and whether or not I'm prompted with their name before answering).

While waiting for the VM, I google their number and see if I can find out who they are. If they are on a known spam/harassment list, I add them to a special GV group immediately which gives them stern warnings about calling me and threatens FCC and FTC action if they call back so much as one more time without leaving a detailed message explaining why they might have legitimate business with me. If after 3 calls they fail to leave a message entirely, I automatically add them to that same group whether I can ID their number or not. That group has voicemail only, it does not ring my phones at all, and the message indicates their calls are being recorded and traced and will be reported to authorities.

If they continue calling after I group block them, I dump their call history and do report them to the FCC, along with including a text copy of my voicemail greeting. THEN, I dump them in a new group; that group, instead of ringing to me, forwards the call directly to the FCC abuse hotline 800-835-5322, and I ensure caller ID passthru is enabled. Generally after 1-2 more calls, my number is not hit by that caller again after I go to that step.

I never, EVER answer calls from unknown sources. My home phones do not have caller ID, but that's OK, because calls from people I don't know don't ring (they go voicemail only with a message requiring them to leave a message to get thru), and calls from people I do know either get connected when I answer, or I get to hear who's calling and decide to answer, depending on who they are. My landline is set up to only receive calls from a dedicated number (my own GV number) so unsolicited calls can't hit that number at all. On my cell, if I see any number other than GV calling, then it's calling me direct and not using GV, and since I have never once given that number out directly, it's either spam or a misdial, and my phone's VM greeting gives them the GV number to dial so I can filter them.

That said, I have identified some spam calls as being associated with this particular PC attack, and I have "approved" those numbers such that if they call me I'll get an appropriate caller ID notice, and I PLAN on answering. I have a Win XP image set up in a VM I can remote to at will specifically created for this, including logging tools enabled. If they spam me on this issue, I'll have a mountain of information to give the authorities about the issue, and I have no fear at all of my information being compromised using that system. (I even have some fake internet history that gets created via scripts; the machine does its updates, reboots occasionally, has a few apps, etc., to have events in the viewer, all just a dummy machine waiting for attack.) The browser home page(s) are Bank of America, Fidelity, and a stock trading site just to bait them further....

I think it would be fun to lead them on for about 5 min with some very short, "yes" , "no" responses. Then hit them with..."I'm sorry what is your name again?""Well, Bob, my name is detective Lestrade of Clark County homicide. I need to ask you stay on the this phone line as you have called the home of a victim of a murder. How long have you known the victim? How did you get this number then? Random? I find that unlikely as the victim died less than an hour ago and you just happened to call. You are in very serious trouble. Now is Bob your real name? Do you understand you could face the death sentence as an accessory to murder. Ok, where are you? Alright, I need you to stay on this line while we notify Interpol to have your local police bring you in for interrogation. Thank you for your cooperation in this investigation."

:-)

It's worth listening to the Tom Mabe series of pranks on Telemarketers. Look for his murder scene bit on youtube.